GHSA-7gwj-7fhm-vw4w – drupal/core

Package

Manager: composer
Name: drupal/core
Vulnerable Version: >=8.0.0 <8.7.11 || >=8.8.0 <8.8.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N

EPSS: N/A pctlN/A

Details

Drupal core unrestricted file upload Drupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did. Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file. After this fix, file_save_upload() now trims leading and trailing dots from filenames.

Metadata

Created: 2024-05-15T20:43:00Z
Modified: 2024-05-15T20:43:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-7gwj-7fhm-vw4w/GHSA-7gwj-7fhm-vw4w.json
CWE IDs: ["CWE-434"]
Alternative ID: N/A
Finding: F027
Auto approve: 1